Crocodilus Android Trojan Adds Crypto Wallet Heist Tools in Global Expansion
Android banking trojan Crocodilus has launched new campaigns targeting crypto users and banking customers across Europe and South America.
First detected in March 2025, early Crocodilus samples were largely limited to Turkey, where the malware posed as online casino apps or spoofed bank apps to steal login credentials.
Recent campaigns show it now hitting targets in Poland, Spain, Argentina, Brazil, Indonesia, India and the US, according to findings from ThreatFabric’s Mobile Threat Intelligence (MTI) team.
A campaign targeting Polish users tapped Facebook Ads to promote fake loyalty apps. Clicking the ad redirected users to malicious sites, delivering a Crocodilus dropper, which bypasses Android 13+ restrictions.
Facebook transparency…